strongSwan KVM Tests / ikev2 / ocsp-rfc4806-local
Test ikev2/ocsp-rfc4806-local

Description

By setting revocation = strict in swanctl.conf, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. Based on RFC 4806, carol sends an OCSP request via an IKEv2 CERTREQ payload to gateway moon, which in turn requests online status information on its own certificate from the OCSP server winnetou on behalf of carol. The OCSP server winnetou possesses a self-signed OCSP signer certificate that must be imported locally by the peers into the /etc/swanctl/x509ocsp/ directory. An authorities section in moon's swanctl.conf defines an OCSP URI pointing to the OCSP server winnetou. carol can successfully initiate an IPsec connection to moon since the status of both certificates is good.
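A swanctl.conf fragment for gateway moon that expresses the setup described above, added here as an illustration and not taken from the test scenario's own configuration; the certificate file names, identities, addresses and the OCSP URI are assumed placeholders.

```conf
# Gateway moon: strict revocation checking plus an OCSP URI for the CA.
connections {
    rw {
        local_addrs  = MOON_IP_PLACEHOLDER
        local {
            auth  = pubkey
            certs = moonCert.pem          # moon's own certificate (assumed name)
            id    = moon.strongswan.org   # assumed identity
        }
        remote {
            auth = pubkey
            # strict: the peer certificate is rejected unless a valid CRL or
            # OCSP response proves it is not revoked. Default is relaxed.
            revocation = strict
        }
        children {
            net {
                local_ts = 10.1.0.0/16    # assumed protected subnet
            }
        }
    }
}

# Tie the CA to the OCSP responder winnetou. With this entry moon can fetch
# status for its own certificate when carol asks via a CERTREQ (RFC 4806).
authorities {
    strongswan {
        cacert    = strongswanCert.pem    # issuing CA (assumed file name)
        ocsp_uris = http://WINNETOU_OCSP_URI_PLACEHOLDER
    }
}

# winnetou's self-signed OCSP signer certificate is not configured here; it is
# installed as a file in /etc/swanctl/x509ocsp/ on both moon and carol and
# loaded with `swanctl --load-creds`, so its OCSP responses are trusted.
```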